Meta, the parent company of Facebook and Instagram, has been hit with a $102 million fine (91 million euros) by the Irish Data Protection Commission (DPC) for a serious security lapse. The fine follows an investigation into a 2019 incident where Meta mistakenly stored users’ passwords in plain text without encryption, leaving sensitive data exposed.
Major GDPR breach and inadequate security measures
The investigation found that Meta violated several GDPR (General Data Protection Regulation) rules, including its failure to properly notify users about the breach and its use of inadequate technical measures to protect their data. Millions of passwords, including those of Instagram users, were improperly stored in plain text, which is a significant security risk. The exposed passwords could have been accessed by approximately 20,000 Meta employees.
Although the DPC confirmed that external third parties had no access to the exposed data, Meta’s failure to encrypt passwords violated critical GDPR data protection standards.
Passwords stored in plain text since 2012
According to the investigation, the security breach began in 2012, when Meta started storing users’ passwords in plain text on its servers. This created a major vulnerability, as the data was accessible to thousands of employees within the company. Meta initially disclosed the issue in January 2019, stating that only a limited number of passwords were affected. However, by February 2019, the company admitted that the problem was more extensive, including millions of Instagram passwords.
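The failure mode described above is a storage decision, not a network breach: once a password is written somewhere readable, every person and process with read access to that location holds the secret. The following is an added example, not code from the article or from Meta, contrasting that pattern with the standard control of keeping only a per-user salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library). The class names, the sample account and the work factor are illustrative assumptions; a real deployment would tune the iteration count to its hardware.

```python
"""
Added example (not from the article or from Meta): plain-text password
storage beside a salted, slow-hash store, using only the standard library.
PlaintextStore, HashedStore and the sample account are illustrative names.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample account for the demo; not real credentials.
SAMPLE_USER = "alice@example.invalid"
SAMPLE_PASSWORD = "correct horse battery staple"


@dataclass
class PlaintextStore:
    """The failure mode described in the article: the password itself is kept.
    Anyone who can read the store (or a log it was copied into) has the secret."""
    records: dict = field(default_factory=dict)

    def register(self, user: str, password: str) -> None:
        self.records[user] = password

    def verify(self, user: str, password: str) -> bool:
        return self.records.get(user) == password


@dataclass
class HashedStore:
    """Hardened form: a random 16-byte salt per user and a PBKDF2-HMAC-SHA256
    digest. The stored record never contains the password, so reading the
    store does not yield reusable credentials."""
    # Assumption: 600,000 iterations is in the range current guidance gives
    # for PBKDF2-HMAC-SHA256; tune for your own hardware.
    iterations: int = 600_000
    records: dict = field(default_factory=dict)

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.iterations, dklen=32
        )

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = self._digest(password, salt)
        # Self-describing record: algorithm, work factor, salt, digest (all hex).
        self.records[user] = f"pbkdf2_sha256${self.iterations}${salt.hex()}${digest.hex()}"

    def verify(self, user: str, password: str) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        _, iters, salt_hex, digest_hex = rec.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters), dklen=32
        )
        # Constant-time comparison so a wrong guess does not leak timing.
        return hmac.compare_digest(bytes.fromhex(digest_hex), candidate)


def record_reveals_password(store, user: str, password: str) -> bool:
    """Simulates an insider or a log reader inspecting the stored record:
    True if the password appears verbatim in what was persisted."""
    return password in store.records[user]


def demo(user: str = SAMPLE_USER, password: str = SAMPLE_PASSWORD) -> dict:
    """Registers the same credential in both stores and reports what each
    store can confirm and what it exposes to anyone who can read it."""
    plain, hashed = PlaintextStore(), HashedStore()
    plain.register(user, password)
    hashed.register(user, password)
    return {
        "plain_verifies": plain.verify(user, password),
        "plain_record_reveals_password": record_reveals_password(plain, user, password),
        "hashed_verifies": hashed.verify(user, password),
        "hashed_accepts_wrong_password": hashed.verify(user, password + "x"),
        "hashed_record_reveals_password": record_reveals_password(hashed, user, password),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both stores authenticate the legitimate user, but only the plain-text record hands the password to whoever reads the table; the hashed record is a salt and a digest, and the per-user salt means two users with the same password still produce different records. This is also why the detection question in an incident like the one described is "where did plain-text copies end up" (application logs, debug dumps, analytics pipelines) rather than "was the database encrypted at rest".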
Though Meta never confirmed the exact number of affected users, a senior employee told Krebs on Security that up to 600 million passwords could have been exposed, prompting further regulatory scrutiny.
The consequences for Meta
The DPC concluded that Meta failed to notify the commission in a timely and appropriate manner and did not document the incident properly. Additionally, the company did not implement the necessary technical safeguards required to protect users’ passwords, violating GDPR regulations. In a statement, Graham Doyle, deputy commissioner of the DPC, emphasized, “Passwords are highly sensitive information, especially considering the risks associated with unauthorized access to social media accounts.”
In addition to the $102 million fine, Meta received an official reprimand from the DPC, a symbolic yet significant penalty that underscores the seriousness of the breach. The DPC’s final decision will be published soon, providing further details on Meta’s potential legal and financial consequences.
Importance of data security in the tech industry
This incident highlights the critical importance of personal data security and the need for tech giants like Meta to adopt proper measures to safeguard users’ sensitive information. As a result of this case, global data protection authorities are expected to intensify their oversight of cybersecurity practices in the tech industry.
Fact check: a closer look at the details
- Meta fined $102 million by the Irish DPC: Meta was indeed fined this amount due to security breaches involving unencrypted password storage.
- Incident dates back to 2012: Meta’s practice of storing passwords in plain text began in 2012 and persisted until the issue was discovered in 2019.
- Passwords potentially exposed to employees: The DPC confirmed that passwords were accessible to thousands of Meta employees but not to external third parties.
About Meta
- Meta (formerly Facebook): Founded by Mark Zuckerberg, Meta is the parent company of Facebook, Instagram, and WhatsApp. The company has faced numerous data privacy and security controversies over the years, including this recent breach, which has triggered significant regulatory action.
Conclusion: a lesson in accountability for tech companies
Meta’s $102 million fine serves as a stark reminder of the serious consequences of data breaches and the importance of strong security protocols. In an era where personal information is a valuable commodity, tech companies must prioritize the protection of user data to avoid the legal, financial, and reputational risks associated with privacy violations. This case also signals a growing trend of data regulators taking a hard stance on security lapses, further emphasizing the need for compliance with stringent data protection laws.